Processing apparatus, program, or system of secret information

ABSTRACT

To provide a secure cryptographic device such as an IC card which can endure TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like as an attacking method of presuming secret information held therein, the secret information held in the card, or other information used in an arithmetic operation together with such secret information, is shown by a plurality of expressing methods when the arithmetic operation is performed, thereby making the arithmetic operation processing method different each time the arithmetic operation is performed and making each of the arithmetic operation time, the intensity of the generated electromagnetic wave, and the current consumption different.

TECHNICAL FIELD

The invention relates to a technique for assuring the security of information.

BACKGROUND ART

According to an IC card, since the reading and writing operations of information from/into the card are executed under a control of an arithmetic operation processing unit which the IC card itself has in terms of its structure, the information can be safely managed as compared with a magnetic card or the like. Therefore, attention is paid to the use of the IC card as means for safely managing information to be made secret. In future, for example, it is expected that the use of an IC card having a function to decrypt an encrypted message and key information necessary for such a function, an IC card having a function to generate a digital signature to electronic data and key information necessary for such a function, or the like is further spread.

It is known that to find a private key by calculations from information such as public key or digital signature which can be known by everyone is very difficult in consideration of an amount of calculations and is actually impossible.

On the other hand, as a new menace to a device having a function such as encryption, decryption, signing, and the like such as an IC card or the like (referred to as a secure cryptographic device), a possibility of an attacking method such as TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like for presuming important information (for example, private key) existing in such a device by analyzing a processing time, a current consumption, a generated electromagnetic wave, or the like under an ordinary usage from the outside of the device without physically and directly analyzing such information has been pointed out. For example, if a private key to sign is analyzed by those attacks, an influence such that a person with malice can pretend to become a legal owner is larger, and countermeasures against it are demanded.

The IC card has been disclosed in

-   a literature [Handbook], Rankl Effing, “Smart Card Handbook”, John Wiley & Sons, 1997.

The secure cryptographic device has been disclosed in

-   a literature [ISO13491], ISO13491-1, “Banking-Secure cryptographic devices (retail)-Part 1: Concepts, requirements and evaluation methods”, First edition, Jun. 15, 1998.

The attacks such as TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), and the like have been disclosed in

-   a literature [DPA], Paul Kocher, Joshua Jaffe and Benjamin Jun, “Introduction to Differential Power Analysis and Related Attacks”, 1998, and
-   a literature [TA], Paul Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems”, CRYPTO'96, 1996,
-   besides the above literature [Handbook].

Each of the attacking methods is based on a principle that a measurement result which is indirectly obtained and internal information have a correlation.

As a countermeasure against the Timing Attack to an IC card having a decrypting function of an RSA encryption, an idea of a countermeasure using a technique called a blind signature has been shown in the literature [TA]. It is a method whereby in order to make it difficult to collect sample data which is message when the Timing Attack is made, an encrypted sentence which is given as an input is not directly decrypted but an encrypted message to which random number information has been added is decrypted and an influence by the random numbers is finally eliminated again, thereby obtaining a decrypted message. However, such a method is inadequate in terms of a point that a process for raising data to the private key's power is still included.

DISCLOSURE OF INVENTION

The invention is made in consideration of the above problems and it is an object of the invention to provide means and technique for disabling secret information in a secure cryptographic device such as an IC card or the like to be presumed.

That is, another object of the invention is to provide means and technique which invalidate an attacking method such as TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like to a secure cryptographic device such as an IC card or the like.

Further another object is to provide an IC card, a security module, a semiconductor chip, a system, a computer, and a program which use those means and techniques.

To accomplish the above objects, according to the invention, there is provided a secret information processing method in a secret information processing apparatus constructed by an arithmetic operation processing circuit, a storing circuit, and a signal line connecting them, whereby the processing method is constructed so as to obtain a same processing result as that obtained by processing the secret information and data serving as a processing target by a well-known processing method, wherein secret information forming information different from the secret information and secret information forming information processing means for outputting the same processing result by using the secret information forming information and the data serving as a processing target are used.

Further, the secret information forming information processing means of the invention executes a process without making the secret information appear on the arithmetic operation processing circuit, the storing circuit, or the signal line.

As a specific example, the secret information is a private key for decryption of an encrypted message or signing, the secret information processing means is means for realizing a well-known algorithm of the decryption or signing, and the processing result is a decrypted message or a generated signature. To know the secret information from the outside is made difficult by using the secret information forming information different from the private key and the secret information forming information processing means for outputting a plain sentence or a signature as a processing result by using the secret information forming information.

Further, the invention is constructed so that the secret information forming information which is processed by the same secret information forming information processing means can have a plurality of values.

Specifically speaking, the storing circuit of the invention constructs the secret information forming information as a plurality of secret information portion information having a plurality of combinations and they are held in the storing circuit.

By using those means, the secret information itself does not appear in any of the cases where it has been held in internal memory means, where it is sent between the memory means and the arithmetic operating means via the signal line (internal bus) in the apparatus, and where it is processed by the processing means in the arithmetic operating means. It is, therefore, difficult to obtain the secret information itself. Further, as for the secret information forming information, since a desired result can be obtained by the secret information forming information processing means which is used in combination with it, even if only the relevant information is obtained, the secret information is not obtained. Moreover, even if the attacker who intends to illegally obtain the secret information finds the secret information forming information processing means, when there are a plurality of kinds of data which can be obtained as secret information forming information, the number of times of trial necessary for the attacker increases, so that it becomes further difficult to obtain the secret information.

It is, therefore, difficult to obtain the secret information itself from such a period of time, an intensity of the generated electromagnetic wave, a current consumption, and the like.

To accomplish the above objects, means for reducing the correlation between the measurement result which is obtained indirectly and the internal information is provided.

More specifically, the following means is used in the invention.

-   (1) In arithmetic operations using the information to be held secretly, a plurality of expressions showing the information are selectively used every arithmetic operation.
-   (2) The information which should be made secret and has been held in the storing apparatus by a certain expressing method is converted into another expression each time the arithmetic operation using such information is executed or at a predetermined timing or a timing determined at random, and the original expression is rewritten by the converted new expression.
-   (3) In arithmetic operations using information A to be held secretly and information B different therefrom, a plurality of expressions showing the information B are selectively used every arithmetic operation.
-   (4) The information which is used in the arithmetic operation using the information A to be held secretly, namely, the information B different from the information A which should be made secret and has been held in the storing apparatus by a certain expressing method is converted into another expression each time the arithmetic operation using the information A to be made secret is executed or at a predetermined timing or a timing determined at random, and the original expression is rewritten by the converted new expression.

That is, the storing circuit of the invention further has converting means for converting the secret information forming information into another secret information forming information, and the other secret information forming information is information for allowing the secret information forming information processing means to output the same processing result as the above processing result.

Further, the arithmetic operation processing circuit of the invention makes the converting means operative at a predetermined timing.

By using the above means, the time which is required when the arithmetic operation using the information A to be made secret is executed, the intensity of the generated electromagnetic wave, the current consumption, and the like do not become constant, so that the relations (correlation) among the information A to be made secret, the time which is required for the arithmetic operation using the information A, the intensity of the generated electromagnetic wave, and the current consumption are reduced.

As a specific example, the secret information forming information processing means and the converting means are programs. Those programs are executed by arithmetic operating means such as a digital signal processor (referred to as a DSP), a central processing unit (referred to as a CPU), or the like.

According to the invention, there is provided a secret information processing system for transmitting and receiving a processing result using the secret information by using the processing apparatus of the secret information, wherein an apparatus on the receiver side of the processing result has means for setting the secret information forming information processing means and the secret information forming information into the storing circuit of the processing apparatus. An apparatus on the user side of the processing apparatus has: means for inputting data as a processing target to the processing apparatus; means for receiving the processing result from the processing apparatus; and means for transmitting the received processing result to the apparatus on the receiver side.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a constructional diagram of an IC card in an embodiment of the invention;

FIG. 2 is a flowchart for an expression converting program in the IC card construction of FIG. 1;

FIG. 3 is a flowchart for an elliptic curve encrypting/decrypting program in the IC card construction of FIG. 1;

FIG. 4 is a flowchart for a common key encrypting/decrypting program in the IC card construction of FIG. 1;

FIG. 5 is a constructional diagram of an IC card in an embodiment of the invention;

FIG. 6 is a flowchart for a table data calculating program in the IC card construction of FIG. 5;

FIG. 7 is a flowchart for a table lookup type elliptic curve encrypting/decrypting program in the IC card construction of FIG. 5;

FIG. 8 is a constructional diagram of an IC card in an embodiment of the invention;

FIG. 9 is a flowchart for a point expression converting program in the IC card construction of FIG. 8;

FIG. 10 is a constructional diagram of an IC card in an embodiment of the invention; and

FIG. 11 is a flowchart for an ECDSA signature forming program in the IC card construction of

FIG. 12 is a system diagram in an embodiment of the invention.

BEST MODE FOR CARRYING OUT THE INVENTION

First Embodiment

An embodiment in which the invention is applied to an IC card having a decrypting function of an Elliptic Curve Encryption Scheme (ECES) as a kind of elliptic curve encryption will now be described hereinbelow by using the diagrams. The Elliptic Curve Encryption Scheme has been disclosed in a literature [X9.63].

The elliptic curve encryption has been disclosed in

-   a literature [X9.63], “Working Draft: AMERICAN NATIONAL STANDARD X.9.63-199x Public Key Cryptography For The Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography”, American National Standards Institute, Jan. 9, 1999, and
-   a literature [IEEEP1363], “Standard Specifications For Public Key Cryptography (Draft Version 9)”, IEEE P1363 Standard, IEEE, Feb. 8, 1999.

In the embodiment, the information corresponding to the information (secret information) to be stored secretly is a private key which is used to decrypt the elliptic curve encryption. In the embodiment, it is assumed that an elliptic curve on a finite body of a prime number order is used.

FIG. 1 is a constructional diagram of hardware of an IC card in the embodiment. An IC card 1001 comprises: an arithmetic operation processing unit 1002 constructed by a CPU or the like; a data storing unit 1004 and a program storing unit 1005 which are constructed by storing circuits (memories); an I/O 1006 constructed by an interface circuit; and a bus 1003 for internally connecting those component elements.

An expression converting program 1010, an elliptic curve encrypting/decrypting program 1011, and a common key encrypting/decrypting program 1012 have been stored in the program storing unit 1005 and are read out into the arithmetic operation processing unit 1002 and executed, respectively.

A system key 1009 in the elliptic curve encryption has been stored in the data storing unit 1004. The system key is data to decide an elliptic curve which is used in the elliptic curve encryption and has preliminarily been released as a common value for the whole system concerned with the transmission and reception of an encrypted message. The system key includes the following values. That is, it includes: coefficients a and b of a definition expression y²=x³+ax+b of the elliptic curve; an order p of a finite body in which the elliptic curve is defined; coordinates of a point P called a base point fixed on the elliptic curve; an order n of the base point P; and a number h called a cofactor such that (n×h) is equal to the number of rational points on the elliptic curve.

Data (secret information forming information) showing a private key d which is used for decryption of the elliptic curve encryption has been further stored in the data storing unit 1004. It is a characteristic point that the private key d itself is not stored in the data storing unit. In the embodiment, the secret information forming information is expressed by a combination of private key partial information d_(A) 1007 and private key partial information d_(B) 1008 as secret information forming partial information. More specifically, a difference in a modulo (n) of d_(A) 1007 and d_(B) 1008 is equal to a value of the private key d. Further, the elliptic curve encrypting/decrypting program 1011 corresponding to the secret information forming information processing means is constructed so that they can be correctly processed. There are a plurality of combinations of d_(A) 1007 and d_(B) 1008. For example, assuming that a value of d_(A) 1007 is set to the private key d itself and a value of d_(B) 1008 is set to 0 (zero), the combination of d_(A) 1007 and d_(B) 1008 becomes an example of the expression of the private key d. If the value of d_(A) 1007 is set to 0 (zero) and the value of d_(B) 1008 is set to n−d (mod n), the combination of d_(A) 1007 and d_(B) 1008 also becomes an example of the expression different from that of the private key d mentioned above.

An outline of the operation of each program will now be described hereinbelow.

A decrypting process of the elliptic curve encryption by the elliptic curve encrypting/decrypting program 1011 will be first described. The elliptic curve encrypting/decrypting program 1011 is a program including an arithmetic operation on the elliptic curve which is determined by the system key 1009 stored in the data storing unit 1004 and a program for calculating a point dR on the elliptic curve from a point R 1013 for decryption given as an input from the outside of the IC card 1001 and information indicative of the private key stored in the data storing unit 1004, namely, in the embodiment, from the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 as an expression of the private key information without obtaining the private key d and calculating a common key for decryption which is necessary to decrypt an encrypted message m 1014 by the common key encrypting/decrypting program 1012. The common key for decryption obtained as an output of this program becomes a part of the input of the common key encrypting/decrypting program 1012.

Subsequently, a decrypting process of the encrypted message by the common key encrypting/decrypting program 1012 will be described. The common key encrypting/decrypting program 1012 is a program for inputting the common key for decryption obtained as an output of the elliptic curve encrypting/decrypting program 1011 and the encrypted message m 1014 given as an input from the outside of the IC card 1001, decrypting the encrypted message m 1014, and outputting a result of the decryption as a decrypted message m′ 1015 to the outside of the IC card 1001.

In the embodiment, although the common key encrypting/decrypting process by the common key encrypting/decrypting program 1012 is performed in the IC card 1001, this process can be also executed by an external apparatus which can transmit and receive information to/from the IC card 1001, for example, by a PC or the like which can transmit and receive information to/from the IC card 1001 via an IC card reader/writer. In this case, the input to the IC card 1001 is the decrypting point R 1013 and the output from the IC card 1001 is the common key for decryption as an output of the elliptic curve encrypting/decrypting program.

A flow of the basic operation by the above three programs in case of decrypting the encrypted message m 1014 at the time when the IC card 1001 is used will be summarized as follows.

First, the elliptic curve encrypting/decrypting program 1011 calculates the common key for decryption without obtaining the private key information d from the decrypting point R 1013 as an input from the outside of the IC card 1001 and the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 stored in the data storing unit 1004. Subsequently, the common key encrypting/decrypting program 1012 decrypts the encrypted message m 1014 as an input from the outside of the IC card 1001 by using the common key for decryption calculated by the elliptic curve encrypting/decrypting program 1011 and outputs it as a decrypted message m′ 1015.

Thus, the encrypted message m can be decrypted.

Since the encrypted message m can be decrypted without allowing the private key d to appear in the data storing unit 1004, bus 1003, and arithmetic operation processing unit 1002 as mentioned above, it is difficult to presume the value of the private key by the TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like.

In the embodiment, the values of the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 stored in the data storing unit 1004 are fixed. Therefore, each time the decryption is executed, the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 as fixed values are supplied to the arithmetic operation processing unit 1002 from the data storing unit 1004 via the bus 1003. Since the elliptic curve encrypting/decrypting program 1011 executes the same calculation every time, the calculating times for this period of time, the intensities of the generated electromagnetic wave, the current consumptions, and the like are also set to the same values, respectively. It means that there is a possibility that the value of the private key partial information is presumed by the TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like.

In the invention, the expression converting program 1010 is used as a further countermeasure against those attacks.

A converting process of the expression of the private key information by the expression converting program 1010 will now be described. The expression converting program 1010 is a program for converting one expression of the private key information read out from the data storing unit 1004 into another expression and substituting (rewriting) this new expression for the original expression in the data storing unit 1004. In the embodiment, the expression converting program 1010 is a program for newly forming a combination of private key partial information d_(A)′ and private key partial information d_(B)′ of another expression from the combination of private key partial information d_(A) 1007 and private key partial information d_(B) 1008 as one expression of the private key information read out from the data storing unit 1004 and rewriting the original expression d_(A) 1007 and d_(B) 1008 in the data storing unit 1004 by the new expression d_(A)′ and d_(B)′.

Since the values of the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 are rewritten to the other values by executing the expression converting program 1010, the data which is supplied from the data storing unit 1004 to the arithmetic operation processing unit 1002 via the bus 1003, the time which is required when the elliptic curve encrypting/decrypting program 1011 is executed in the arithmetic operation processing unit 1002, the intensity of the generated electromagnetic wave, the current consumption, and the like are changed to the different values. Thus, a presumption of the value of the private key by the TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like can be made further difficult.

The expression converting program 1010 can be executed every time just before the elliptic curve encrypting/decrypting program 1011 is executed, can be also executed every time just after the elliptic curve encrypting/decrypting program 1011 was executed, can be executed once every several executions of the elliptic curve encrypting/decrypting program 1011, or can be also executed at a random timing irrespective of the execution of the elliptic curve encrypting/decrypting program 1011. As countermeasures against the TA (Timing Attack) or DPA (Differential Power Analysis) for the elliptic curve encrypting/decrypting program 1011, it is desirable that the frequency of execution of the expression converting program 1010 is large.

The details of the operation of each program will now be described.

FIG. 2 shows a flow for the expression converting program 1010 in FIG. 1.

-   Step 2001: Start
-   Step 2002: Form random numbers k (0≦k<n).
-   Step 2003: Read the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 from the data storing unit 1004.
-   Step 2004: Calculate d_(A)′=d_(A)+k (mod n) and d_(B)′=d_(B)+k (mod n).
-   Step 2005: Write d_(A)′ and d_(B)′ into the positions in the data storing unit 1004 where the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 have been written, respectively.
-   Step 2006: End

FIG. 3 shows a flow for the elliptic curve encrypting/decrypting program 1011 in FIG. 1.

-   Step 3001: Start
-   Step 3002: Set Q=0 (point at infinity)
-   Step 3003: Read decrypting point R 1013 from the outside of the IC card 1001.
-   Step 3004: Read the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 from the data storing unit 1004.
-   Step 3005: Set i=|n| (|n| denotes a bit length of the order n of the base point P).
-   Step 3006: If (the ith bit of d_(A) 1007, the ith bit of d_(B) 1008)=(1, 0), step 3008 follows (it is assumed that the ith bit is counted so as to increase as it approaches the upper bit while setting the least significant bit to the first bit).
-   Step 3007: If (the ith bit of d_(A) 1007, the ith bit of d_(B) 1008)=(0, 1), step 3010 follows. If NO, step 3009 follows (the ith bit is counted so as to increase as it approaches the upper bit while setting the least significant bit to the first bit).
-   Step 3008: Set Q=Q+R and step 3010 follows (“+” indicates an addition of the points on the elliptic curve).
-   Step 3009: Set Q=Q−R and step 3010 follows (“−” indicates a subtraction of the points on the elliptic curve).
-   Step 3010: Set i=i−1.
-   Step 3011: If i>0, set Q=2Q and step 3006 follows (“2Q” denotes a calculation for doubling of the point Q on the elliptic curve).
-   Step 3012: Output x coordinate xQ of Q as a common key for decryption.
-   Step 3013: End

The details of the addition of the points on the elliptic curve in step 3008, the subtraction of the points on the elliptic curve in step 3009, and the calculation for doubling of the point on the elliptic curve in step 3011 have been disclosed in the literature [IEEEP1363].

The procedure of the elliptic curve encrypting/decrypting program 1011 is the same as the method called a binary method which is widely used to obtain a value dR which is scalar times as large as a point on an elliptic curve when it is assumed that the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 as an expression of the private key d are set to (d_(A)=d, d_(B)=0), respectively. On the other hand, when expression of the private key d is an expression in which the number of combinations of the bits is the smallest as in the case where the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 are set to (the ith bit of d_(A) 1007, the ith bit of d_(B) 1008)=(1, 0) or (0, 1), such a procedure is the same as an arithmetic operation by a scalar time arithmetic operating method of a point on an elliptic curve using the optimum addition-subtraction chain known as a method of obtaining the scalar time dR of the point on the elliptic curve at a high speed.

A technique such that a plurality of expressing methods of the private key d are selectively used as mentioned above denotes that the various well-known arithmetic operating methods are selectively used as an arithmetic operating method of obtaining the scalar time arithmetic operation dR of the point on the elliptic curve and the dR is arithmetically operated. Consequently, each of the execution time of the elliptic curve encrypting/decrypting program 1011, the intensity of the electromagnetic wave which is generated, the current consumption, and the like differs every expressing method. Averagely, it is expected that the processing time is almost equal to that in case of using the binary method.
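The following Python sketch is an added example, not code from the patent: it implements the FIG. 2 conversion and the FIG. 3 scan over (d_(A), d_(B)) and records the operation sequence, so that two expressions of the same key can be seen to give the same point dR through different sequences of point operations. It uses constructed toy parameters (y²=x³+2x+2 over F_17, base point (5, 1) of order 19), hypothetical function names, and reads steps 3006 to 3009 as "add R on (1, 0), subtract R on (0, 1), no operation on equal bits", which is what d = d_(A) − d_(B) (mod n) requires.

```python
import secrets

# Constructed toy system key (textbook-sized, not a real deployment):
# y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1) of prime order n = 19.
p, a, b = 17, 2, 2
P, n = (5, 1), 19
O = None  # point at infinity


def neg(A):
    return O if A is O else (A[0], -A[1] % p)


def add(A, B):
    """Point addition covering infinity, doubling and the case A = -B."""
    if A is O:
        return B
    if B is O:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def binary_mul(d, R):
    """Reference only: plain binary method that handles d directly."""
    Q = O
    for i in reversed(range(d.bit_length())):
        Q = add(Q, Q)
        if (d >> i) & 1:
            Q = add(Q, R)
    return Q


def split_key(d):
    """Provisioning: store d as (d_A, d_B) with d = d_A - d_B (mod n)."""
    d_B = secrets.randbelow(n)
    return ((d + d_B) % n, d_B)


def convert(d_A, d_B, k=None):
    """FIG. 2: add the same random k to both parts; d is never formed."""
    if k is None:
        k = secrets.randbelow(n)
    return ((d_A + k) % n, (d_B + k) % n)


def split_mul(d_A, d_B, R):
    """FIG. 3: scan the bit pairs from the top; return (Q, operation trace).

    Trace letters: A = add R, S = subtract R, D = double.
    """
    Q, ops = O, []
    i = n.bit_length()                      # step 3005
    while True:
        bits = ((d_A >> (i - 1)) & 1, (d_B >> (i - 1)) & 1)
        if bits == (1, 0):                  # step 3008
            Q = add(Q, R)
            ops.append("A")
        elif bits == (0, 1):                # step 3009
            Q = add(Q, neg(R))
            ops.append("S")
        i -= 1                              # step 3010
        if i == 0:
            break
        Q = add(Q, Q)                       # step 3011
        ops.append("D")
    return Q, "".join(ops)


def common_key_x(d_A, d_B, R):
    """Step 3012: x coordinate of Q, or None if Q is the point at infinity."""
    Q, _ = split_mul(d_A, d_B, R)
    return None if Q is O else Q[0]


if __name__ == "__main__":
    d_A, d_B = split_key(5)                 # constructed private key d = 5
    for _ in range(4):
        print(d_A, d_B, split_mul(d_A, d_B, P))
        d_A, d_B = convert(d_A, d_B)        # re-express before the next use
```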

The arithmetic operating method on the elliptic curve using the addition-subtraction chain has been mentioned in

-   a literature [ADD-SUB] F. Morain and J. Olivas, “Speeding up the computations on an elliptic curve using addition-subtraction chains”, Theoretical Informatics and Applications. Vol. 24, No. 6, 1990.

In the embodiment, by holding again the private key itself by a different expressing method at a proper timing, the information itself to be made secret and the fixed value of the information regarding it do not exist in the IC card. Therefore, for example, even if the attacker can analyze the portion on the bus 1003 along which the information flows when the data held in the data storing unit 1004 is sent to the arithmetic operation processing unit 1002, it is difficult to presume the information to be made secret from the flowing information.

Further, even if a part of the data held in the data storing unit 1004 is analyzed by the attacker by some means, the information to be made secret does not necessarily leak. That is, in the case where the information itself to be made secret has been stored as a fixed value in the data storing unit 1004, if the information of one bit of such a value leaks, it means that a part of the information regarding the information to be made secret leaks. However, if the information is held not as the information itself to be made secret but by a certain expression showing it in accordance with the invention, even if the value of d_(A) which is an expression of the information d to be made secret and corresponds to the half in the combination of d_(A) and d_(B) as data actually held in the data storing unit 1004 leaks completely, no information leaks with respect to the information d itself to be made secret.

This is because the attacker does not know how and by which partial information the information d is expressed and even if he knows that d is expressed by the combination of d_(A) and d_(B), a person who does not know how d is expressed by the value of d_(B) or the combination of d_(A) and d_(B) cannot find any relation between d and d_(A).

In addition, according to the invention, since the information to be made secret is held again by a different expressing method at a proper timing, even if the attacker knows the value of d_(B) at another time point later, he cannot find any relation between d_(A) and d_(B) at different time points, so that the information regarding d does not leak.

FIG. 4 shows a flow for the common key encrypting/decrypting program 1012 in FIG. 1.

-   Step 4001: Start
-   Step 4002: A common key c for decryption and the encrypted message m 1014 are inputted. The common key c for decryption is a common key xQ for decryption outputted in step 3012 of the elliptic curve encrypting/decrypting program 1011.
-   Step 4003: The common key c for decryption and a bit length L of the encrypted message m 1014 are inputted to “key derivation function” and a mask train M of the length L is obtained as an output. The “key derivation function” is a function such as to output a mask train of the length L when the common key c for decryption and the length L of the mask train which is outputted are designated as inputs, and it is assumed that this function has been installed as a part of the common key encrypting/decrypting program 1012. The details of the “key derivation function” have been disclosed in the literature [X9.63].
-   Step 4004: The exclusive OR of the encrypted message m 1014 and the mask train M (m′ XOR M) is calculated and a result is outputted as a decrypted message m′ 1015 to the outside of the IC card 1001.
-   Step 4005: End

Although an example in which the invention is applied to the IC card having a decrypting function of the Elliptic Curve Encryption Scheme (ECES) as a kind of elliptic curve encryption has been shown in the embodiment, the invention can be also widely applied to other media.

For example, the invention can be also applied to an IC card having a decrypting function of the Elliptic Curve Augmented Encryption Scheme (ECAES) instead of the Elliptic Curve Encryption Scheme (ECES). In this case, in addition to the processes in the embodiment, a process for verifying whether the decrypted data is correct or not by using data for message verification called MAC which has previously been sent together with the encrypted data is added. The details of the Elliptic Curve Augmented Encryption Scheme (ECAES) have been disclosed in the literature [X9.63].

Although the elliptic curve on the finite body of the prime number order has been used in the embodiment, an elliptic curve on a finite body of characteristic 2 can be also used. An elliptic curve on another arbitrary finite body can be also used. Although the elliptic curve defined by the equation y²=x³+ax+b has been used in the embodiment, an elliptic curve defined by another equation, for example, by²=x³+ax²+bx can be also used. Although the encryption using difficulty of a discrete logarithm problem on the group which is formed by the rational points on the elliptic curve has been used in the embodiment, it is also possible to use an encryption using difficulty of the discrete logarithm problem on another group such as multiplicative group of the finite body, divisor class group on a hyperelliptic curve, divisor class group on a Cab curve, or the like. In case of using those encryptions, it is sufficient that the arithmetic operation based on the secret information of the point on the elliptic curve in the elliptic curve encrypting/decrypting program 1011 is replaced with an arithmetic operation based on the secret information in each group.

Further, even in case of an encryption other than the encryption using the difficulty of those discrete logarithm problems, more generally, even in case of something other than the encryption, the invention can be also applied to an IC card having a function including an arithmetic operation such that there is a certain number to be made secret and a group arithmetic operation is repetitively performed the number of times corresponding to the number to be made secret in a manner similar to that in the embodiment. That is, although dR as a result obtained by executing the arithmetic operation to add R the number of times corresponding to the number to be made secret (private key d) has been obtained in the above elliptic curve encrypting/decrypting program 1011, it is sufficient to express the number to be made secret by a certain expression in a manner similar to the above method and execute an arithmetic operation by the program corresponding to the elliptic curve encrypting/decrypting program 1011. As an example of such an encryption, for example, there is an RSA encryption or the like other than the encryptions using the difficulty of the foregoing discrete logarithm problems. There is an RSA signature or the like as an example of a function other than the encryption. The “group” used here denotes a set and is a group in which an arithmetic operation existing between the elements belonging to such a set has been defined.

The RSA encryption and signature have been disclosed in

-   a literature [APPLIED] Bruce Schneier, “Applied Cryptography”, John Wiley & Sons, Inc. 1996.

Although the example in which the invention is applied to the IC card has been shown in the embodiment, the invention can be also widely applied to a media other than the IC card as a technique for more safely preserving information to be made secret. For example, the invention can be also applied to devices other than the IC card, namely, a secure cryptographic device, a semiconductor chip, a PC, or a workstation having the same function.

Second Embodiment

The elliptic curve encrypting/decrypting program 1011 in the first embodiment can be also modified as follows.

FIG. 5 is a constructional diagram of the IC card in the embodiment. In the embodiment, a program corresponding to the elliptic curve encrypting/decrypting program 1011 in the first embodiment comprises the following two programs: a table data calculating program 5001 and a table lookup type elliptic curve encrypting/decrypting program 5002.

An outline of the operation of each program will be described hereinbelow.

The table data calculating program 5001 is a program for inputting the point R 1013 for decryption which is given from the outside of the IC card 1001, calculating the data in a table which is used in the table lookup type elliptic curve encrypting/decrypting program 5002, and writing a calculation result into a table data 5003 area in the data storing unit 1004. This program executes a process which does not depend on the data showing the private key d included in the data storing unit 1004, namely, the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 in the embodiment. Therefore, there is no anxiety about the leakage of the data regarding the private key d even if the program is attacked by the TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like.

The table lookup type elliptic curve encrypting/decrypting program 5002 is a program for calculating a common key for decryption which is necessary to decrypt the encrypted message m 1014 by the common key encrypting/decrypting program 1012 from the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 stored in the data storing unit 1004 and the table data 5003 calculated by the table data calculating program 5001.

The details of the operation of each program will now be described.

FIG. 6 shows a flow for the table data calculating program 5001 in FIG. 5.

-   Step 6001: Start
-   Step 6002: The point R 1013 for decryption is read out from the outside of the IC card 1001.
-   Step 6003: Points 3R, 2R, R, −R, −2R, and −3R on the elliptic curve are calculated.
-   Step 6004: The table data 5003 is set to
    -   T[00][00]=0 (point at infinity)
    -   T[00][01]=−R
    -   T[00][10]=−2R
    -   T[00][11]=−3R
    -   T[01][00]=R
    -   T[01][01]=0 (point at infinity)
    -   T[01][10]=−R
    -   T[01][11]=−2R
    -   T[10][00]=2R
    -   T[10][01]=R
    -   T[10][10]=0 (point at infinity)
    -   T[10][11]=−R
    -   T[11][00]=3R
    -   T[11][01]=2R
    -   T[11][10]=R
    -   T[11][11]=0 (point at infinity)

    and they are stored in the data storing unit.
-   Step 6005: End

FIG. 7 shows a flow for the table lookup type elliptic curve encrypting/decrypting program 5002 in FIG. 5.

-   Step 7001: Start
-   Step 7002: Set Q=0 (point at infinity)
-   Step 7003: The point R 1013 for decryption is read out from the outside of the IC card 1001.
-   Step 7004: The private key partial information d_(A) 1007 and private key partial information d_(B) 1008 are read out from the data storing unit 1004.
-   Step 7005: If |n| is an even number, set i=|n|. If |n| is an odd number, set i=|n|+1. (|n| is a bit length of order n of the base point P)
-   Step 7006: With reference to the table data 5003 in the data storing unit 1004, set S=T [the ith bit of d_(A) 1007, the (i−1)th bit of d_(A) 1007] [the ith bit of d_(B) 1008, the (i−1)th bit of d_(B) 1008] (it is now assumed that the least significant bit is set to the first bit and the ith bit is counted so as to increase as it approaches the upper bit).
-   Step 7007: Q=Q+S is calculated (+ denotes an addition of the points on the elliptic curve).
-   Step 7008: Set i=i−2.
-   Step 7009: If i>0, set Q=4Q and step 7006 follows (4Q can be obtained by repeating a doubling calculation of point Q on the elliptic curve twice).
-   Step 7010: Output the x coordinate xQ of Q as a common key for decryption.
-   Step 7011: End

The details of the addition of the points on the elliptic curve in step 7007 and the doubling calculation of the points on the elliptic curve in step 7009 have been described in the literature [IEEEP1363].

Although the arithmetic operation has been performed to every two continuous bits of the private key partial information in the embodiment, it can be also performed by a method different from it. For example, an arithmetic operation can be performed to every three continuous bits or, generally, can be performed to every t continuous bits or every (|n|/j) bits which are away from each other by j bits. It is necessary to change the table data calculating program 5001 to a program for calculating a proper value in accordance with the way of seeing those bits of the private key partial information.

Also in the embodiment, the value of d itself does not appear during the arithmetic operation to obtain dR. Therefore, the time which is required for the arithmetic operation to obtain dR, the intensity of the electromagnetic wave which is generated, and the current consumption do not depend on the value of d itself. Consequently, it is difficult to presume the value of the private key d by an attack by the TA (Timing Attack), DPA (Differential Power Analysis), or the like.

Although the example in which the invention is applied to the IC card having the decrypting function of the Elliptic Curve Encryption Scheme (ECES) as a kind of elliptic curve encryption has been shown in the embodiment, the invention can be also widely applied to other media in a manner similar to the first embodiment. Particularly, in case of applying the invention to an apparatus for performing a process including an arithmetic operation such that a group arithmetic operation to a certain predetermined element is repetitively executed the number of times corresponding to the number to be made secret, there is no need to execute the table data calculating program 5001 every time but it is sufficient to execute it only once. Therefore, the process can be executed at a high speed every time and this method is further effective. In this case, further, the table data can be also calculated outside of the apparatus (in case of the embodiment, IC card 1001). As an example of an apparatus including such a process, for instance, an IC card for performing a key forming process in the elliptic curve encryption can be mentioned. In this case, a process for obtaining the point dP on the elliptic curve from the private key information d formed as random numbers and the base point P as a fixed point is included. Therefore, the table data is calculated, for example, outside of the IC card and can be previously stored in the IC card as a part of the system key information.

Third Embodiment

As a method of storing the table data into the table data 5003 area in the second embodiment, the following method can be used.

Although the point on the elliptic curve is usually expressed by a combination of two values of the x coordinate and y coordinate by using 2-dimensional affine coordinates, in case of performing the addition of the points or the doubling calculation of the points, mainly for the purpose of performing the arithmetic operation at a high speed, such a point can be also expressed by a combination of three values of the x coordinate, y coordinate, and z coordinate. An example of such an expression and an arithmetic operating method of the point on the elliptic curve in case of using such an expression has been disclosed as a projective coordinate in the literature [IEEEP1363]. The mutual conversion between the expression by the 2-dimensional affine coordinates and the expression by the projective coordinate can be performed as follows.

-   [From the 2-dimensional affine coordinates to the projective coordinate] (x, y) → [x, y, 1]
-   [From the projective coordinate to the 2-dimensional affine coordinates] [X, Y, Z] → (X/Z², Y/Z³)

It should be noted here that, according to the expression by the projective coordinate, the expression showing the same point is not limited to one kind. That is, assuming that t is set to a number which satisfies (0<t<p) (p denotes an order of the finite body which is defined by the elliptic curve), the point [X, Y, Z] and the point [t²X, t³Y, tZ] show the same point (X/Z², Y/Z³).

As a method of storing the table data into the table data 5003 area in the second embodiment, it can be stored by the expression by the projective coordinate. In this case, even in case of the data showing the same point, it can be stored by different expressions. For example, although the data indicative of a point 2R has been stored in T[10][00] and T[11][01], by storing by using those two data by different expressions, namely, by using T[10][00]=[X, Y, Z] and T[11][01]=[X′, Y′, Z′] (where, it is assumed that X/Z²=X′/Z′², Y/Z³=Y′/Z′³ are satisfied), the arithmetic operating process in the case where T[10][00] is referred to during the execution of the table lookup type elliptic curve encrypting/decrypting program 5002 and that in the case where T[11][01] is referred to are different, so that each of the execution time, the intensity of the electromagnetic wave which is generated, the current consumption, and the like also differs.

FIG. 8 is a constructional diagram of the IC card in the embodiment. In the embodiment, a point expression converting program 8001 is added to the second embodiment.

An outline of the point expression converting program 8001 will now be described hereinbelow.

The point expression converting program 8001 converts the expression of a point in the table data 5003 stored in the data storing unit 1004 and rewrites the table data 5003 by the converted value. It is assumed that the table data 5003 is expressed by the combination of three values of the x coordinate, y coordinate, and z coordinate expressed by the projective coordinate by the table data calculating program 5001 and stored. That is, for example, the data expressed as (x, y) by the 2-dimensional affine coordinates can be converted into [x, y, 1] and stored or when the table data 5003 is calculated in step 6003 of the table data calculating program 5001, it is also possible to calculate it by using the projective coordinate and store a result into the table data 5003 as a projective coordinate as it is. The point expression converting program 8001 can be executed at an arbitrary point for a time interval until the table data 5003 is finally referred to after the table data calculating program 5001 was executed. The program 8001 can be executed any number of times for such a time interval. For example, the program 8001 can be executed just before the table lookup type elliptic curve encrypting/decrypting program 5002 is executed or can be also executed by interrupting during the execution of the table lookup type elliptic curve encrypting/decrypting program 5002 if at least one opportunity such that the table is referred to is left.

The details of the point expression converting program 8001 will now be described.

FIG. 9 shows a flow for the point expression converting program 8001 in FIG. 8.

-   Step 9001: Start
-   Step 9002: Set i=00.
-   Step 9003: Set j=00.
-   Step 9004: Read [x, y, z]=T[i][j].
-   Step 9005: Form a random number k (0<k<p. p is an order of the finite body which is defined on the elliptic curve).
-   Step 9006: Set [x, y, z]=[k² x (mod p), k³ y (mod p), k z (mod p)] (p is an order of the finite body which is defined on the elliptic curve).
-   Step 9007: Set T[i][j]=[x, y, z].
-   Step 9008: Set j=j+1 (j is expressed by the binary notation).
-   Step 9009: If j≦11 (expressed by the binary notation), step 9005 follows.
-   Step 9010: Set j=00.
-   Step 9011: Set i=i+1 (i is expressed by the binary notation).
-   Step 9012: If i≦11 (expressed by the binary notation), step 9005 follows.
-   Step 9013: End

In the embodiment, by executing the point expression converting program 8001 at a proper timing, a plurality of data showing the same point, for example, T[10][00] and T[11][01] are stored by the different expressions. Even in case of the same data T[i][j], since it is stored by the different expressions in dependence on the timings for referring to it, the processes including the arithmetic operation to refer to the table data 5003 are different even if the input value is the same every time. Therefore, the processing time, the intensity of the electromagnetic wave which is generated, the current consumption during the process, and the like are not constant. That is, it means that the arithmetic operation using the private key and the table data 5003, the time which is required for execution of the table lookup type elliptic curve encrypting/decrypting program 5002, the intensity of the electromagnetic wave which is generated, and the current consumption are not constant. Therefore, it is difficult to presume the value of the private key by an attack such as TA (Timing Attack), DPA (Differential Power Analysis), or the like.

Although all of the point information included in the table data 5003 has been converted by the point expression converting program 8001 in the embodiment, only the data of one or a plurality of points selected at random can be also converted instead of all points. As a countermeasure against the TA (Timing Attack) or DPA (Differential Power Analysis) for the table lookup type elliptic curve encrypting/decrypting program 5002, it is desirable to convert the expression of many point data and it is also desirable that an execution frequency of the point expression converting program 8001 is large.

Although the example in which the invention is applied to the IC card having the decrypting function of the Elliptic Curve Encryption Scheme (ECES) as a kind of elliptic curve encryption has been shown in the embodiment, the invention can be also widely applied to other media in a manner similar to the second embodiment.
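The re-expression of steps 9004 to 9007, applied to the whole table and checked against the affine view, is shown below as an added example that is not part of the original text. The curve y²=x³+2x+2 over F_17, the three sample points standing in for R, 2R and 3R, the encoding [1, 1, 0] for the point at infinity and all function names are assumptions of the example.

```python
import secrets

# Constructed sample: toy curve y^2 = x^3 + 2x + 2 over F_17 and three of its
# points standing in for R, 2R and 3R (assumptions, not values from the text).
P_MOD, A, B = 17, 2, 2
R1, R2, R3 = (5, 1), (6, 3), (10, 6)
INF = [1, 1, 0]                      # assumed encoding: Z = 0 marks infinity

def to_affine(entry):
    """[X, Y, Z] -> (X/Z^2, Y/Z^3), or None for the point at infinity."""
    X, Y, Z = entry
    if Z % P_MOD == 0:
        return None
    zi = pow(Z, -1, P_MOD)
    return (X * zi * zi % P_MOD, Y * zi ** 3 % P_MOD)

def on_curve(entry):
    """Curve equation in projective form: Y^2 = X^3 + a*X*Z^4 + b*Z^6."""
    X, Y, Z = entry
    return (Y * Y - (X ** 3 + A * X * Z ** 4 + B * Z ** 6)) % P_MOD == 0

def build_table():
    """T[u][v] = (u - v)R as in step 6004, stored as [x, y, 1]."""
    m = [INF, [*R1, 1], [*R2, 1], [*R3, 1]]
    def entry(u, v):
        X, Y, Z = m[abs(u - v)]
        return [X, Y if u >= v else -Y % P_MOD, Z]
    return [[entry(u, v) for v in range(4)] for u in range(4)]

def rerandomize(entry):
    """Steps 9005-9006 for one entry: scale by (k^2, k^3, k) with 0 < k < p."""
    k = 1 + secrets.randbelow(P_MOD - 1)
    X, Y, Z = entry
    return [k * k * X % P_MOD, k ** 3 * Y % P_MOD, k * Z % P_MOD]

def convert_table(table):
    """Re-express every entry with a fresh k, leaving the input table intact."""
    return [[rerandomize(e) for e in row] for row in table]

def affine_view(table):
    return [[to_affine(e) for e in row] for row in table]

if __name__ == "__main__":
    t = convert_table(build_table())
    # Both entries denote 2R but are almost always stored as different triples.
    print(t[2][0], t[3][1], to_affine(t[2][0]), to_affine(t[3][1]))
```

The point at infinity keeps Z = 0 under the scaling, so the four diagonal entries stay recognisable as infinity to any code that tests Z; only their X and Y values change.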

Fourth Embodiment

In the first embodiment, the information to be made secret, namely, the private key d is expressed by the combination of the private key partial information d_(A) 1007 and private key partial information d_(B) 1008. More specifically speaking, it is expressed so that the difference in the modulo n between d_(A) 1007 and d_(B) 1008 is equalized to the value of the private key d. In the first embodiment, d_(A) 1007 and d_(B) 1008 are expressed as numbers which are equal to or larger than 0 and are less than n. However, they can be also expressed by the other methods. For instance, d_(A) 1007 can be expressed as a number which is equal to or larger than 0 and is less than 2n, or can be also expressed by a combination of three or more numbers such that the sum or difference of them is equal to the value of the private key d.

As another expression, for example, the value of d can be also expressed as an array of 1, 0, and −1 as follows. That is, it is assumed that the expression (B_(n), B_(n−1), . . . , B₁, and B₀) shows the number 2^(n)B_(n)+2^(n−1)B_(n−1)+ . . . +2¹B₁+2⁰B₀. It is assumed that B_(i) is one of 1, 0, and −1. This expression corresponds to the extension of the ordinary binary expression. That is, an expressing method whereby B_(j) is limited to only 0 or 1 corresponds to the ordinary binary expression. To express 1, 0, and −1 on the memory, a method of expressing 0 in case of 00, 1 in case of 01, and −1 in case of 11 by using two bits is considered.

When this expression is used, the expression converting program 1010 in the first embodiment, for example, is changed as follows. It is assumed that private key information d_rep expressed as an array of 1, 0, and −1 has been stored in the data storing unit 1004 in place of the combination of the private key partial information d_(A) 1007 and private key partial information d_(B) 1008.

-   Extension converting program (extension binary expression)
-   Step 10001: Start
-   Step 10002: Read the private key information d_rep from the data storing unit 1004.
-   Step 10003: Form random numbers K,L (where, 0<K<L<|d_rep|. |d_rep| is a bit length of d_rep).
-   Step 10004: Set the value B_(L+1) of the (L+1)th bit of the private key information d_rep to B_(L+1)=B_(L+1)+1.
-   Step 10005: For all of i which satisfies K<i≦L, the value B_(i) of the ith bit of the private key information d_rep is set to B_(i)=B_(i)−1.
-   Step 10006: Set the value B_(K) of the Kth bit of the private key information d_rep to B_(K)=B_(K)−2.
-   Step 10007: If each bit of the private key information d_rep is equal to one of 1, 0, and −1, step 10013 follows.
-   Step 10008: Set j=|d_rep|.
-   Step 10009: If the value B_(j) of the jth bit of d_rep is equal to 2, set B_(j+1)=B_(j+1)+1 and B_(j)=0.
-   Step 10010: If the value B_(j) of the jth bit of d_rep is equal to −2, set B_(j+1)=B_(j+1)−1 and B_(j)=0.
-   Step 10011: Set j=j−1.
-   Step 10012: If j>0, step 10007 follows.
-   Step 10013: Write the updated private key information d_rep into the data storing unit 1004.
-   Step 10014: End
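An added sketch of this re-encoding, not code from the original text: steps 10004 to 10006 add a pattern whose total value is zero, and a carry pass then brings every digit back into {1, 0, −1}. It assumes 0-based list positions with position 0 least significant, and its carry pass runs from the low end and also resolves a digit of −3 (reached when B_(K) was −1), a case the listed steps do not spell out; all function names are hypothetical.

```python
import secrets

def to_digits(d, length):
    """Ordinary binary expression of d; index 0 is the least significant digit."""
    return [(d >> i) & 1 for i in range(length)]

def value(digits):
    """Number represented by a signed-digit array: sum of B_i * 2^i."""
    return sum(b * (1 << i) for i, b in enumerate(digits))

def normalize(digits):
    """Carry pass, low digit first, until every digit is in {-1, 0, 1}."""
    out = list(digits)
    i = 0
    while i < len(out):
        if not -1 <= out[i] <= 1:
            r = out[i] % 2                 # parity, 0 or 1 even for negatives
            if r and out[i] < 0:
                r = -1                     # e.g. -3 becomes digit -1, carry -1
            carry = (out[i] - r) // 2
            out[i] = r
            if i + 1 == len(out):
                out.append(0)              # grow if the carry leaves the top
            out[i + 1] += carry
        i += 1
    return out

def reencode(digits, K, L):
    """Steps 10004-10006: add 2^(L+1) - sum(2^i, K<i<=L) - 2*2^K, which is 0."""
    width = len(digits)
    out = list(digits) + [0] * max(0, L + 2 - width)
    out[L + 1] += 1
    for i in range(K + 1, L + 1):
        out[i] -= 1
    out[K] -= 2
    out = normalize(out)
    while len(out) > width and out[-1] == 0:
        out.pop()                          # drop padding that stayed unused
    return out

def random_reencode(digits):
    """Step 10003: pick 0 < K < L < len(digits) at random, then re-encode."""
    n = len(digits)
    K = 1 + secrets.randbelow(n - 2)
    L = K + 1 + secrets.randbelow(n - 1 - K)
    return reencode(digits, K, L)

if __name__ == "__main__":
    rep = to_digits(91, 8)                 # constructed sample value
    for _ in range(5):
        rep = random_reencode(rep)
        print(rep, value(rep))             # digits change, value stays 91
```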

The elliptic curve encrypting/decrypting program 1011 in the first embodiment is changed as follows.

-   Elliptic curve encrypting/decrypting program (extension binary expression)
-   [Step 3004] is changed as follows.
-   Step 11004: Read the private key information d_rep from the data storing unit 1004.
-   [Step 3006] is changed as follows.
-   Step 11006: If the ith bit B_(i) of d_rep is equal to 1, step 3009 follows.
-   [Step 3007] is changed as follows.
-   Step 11007: If the ith bit B_(i) of d_rep is equal to −1, step 3010 follows.

Although the value of d is expressed as an array of 1, 0, and −1 in the embodiment, the value of d can be also expressed, for example, as an array of 2, 1, 0, and −1 by similarly using the extension binary expression. The value of d can be also expressed as an array of t, t−1, . . . , 0, −1, . . . , −s (s, t≧0).

Further, the value of d can be also expressed as an array of several numbers which are not always continuous so long as it can express all values of d.

As another expression of the value of the private key information d, it can be also expressed as a combination of two numbers whose product is equal to d. That is, in place of the combination of the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 in the first embodiment, combinations dm_(A) and dm_(B) of two numbers in which dm_(A)×dm_(B) (mod n) is equal to the value of the private key information d are stored in the data storing unit 1004, or it can be also expressed by a combination of three or more numbers such that the product is equal to d. Further, it can be also expressed by a combination of a plurality of numbers such that a predetermined arithmetic operation result is equal to the private key information d without limiting to the product. In case of using the expressing method by those various secret information forming information, a desired result is obtained by also using the secret information forming information processing means which can correctly process them.

When the expression by the combination of two numbers such that the product is equal to d is used, the expression converting program 1010 in the first embodiment is changed, for example, as follows.

-   Expression converting program (product expression)
-   Step 12001: Start
-   Step 12002: The random number k which is larger than 0 and is less than n is formed.
-   Step 12003: Read dm_(A) and dm_(B) from the data storing unit 1004.
-   Step 12004: Calculate dm_(A)′=k dm_(A) (mod n) and dm_(B)′=k⁻¹ dm_(B) (mod n).
-   Step 12005: Write dm_(A)′ and dm_(B)′ into portions where dm_(A) and dm_(B) have been written in the data storing unit 1004, respectively.
-   Step 12006: End

The elliptic curve encrypting/decrypting program 1011 in the first embodiment is changed as follows.

-   Elliptic curve encrypting/decrypting program (product expression) (Outline)
-   Step 13001: Start
-   Step 13002: Read the point R 1013 for decryption from the outside of the IC card 1001.
-   Step 13003: Read dm_(A) and dm_(B) from the data storing unit 1004.
-   Step 13004: Calculate Q=dm_(A) R.
-   Step 13005: Calculate Q=dm_(B) Q.
-   Step 13006: Output the x coordinate xQ of Q as a common key for decryption.
-   Step 13007: End

The scalar time arithmetic operation of the point on the elliptic curve in steps 13004 and 13005 can be performed by an arbitrary method. For example, it can be performed by using the binary method or can be performed by using the method shown in another embodiment by regarding that dm_(A) and dm_(B) are the values of the private key themselves.

Although several examples of the expressing method of expressing the secret information have been shown above, they can be also combined. For example, it is also possible to use a construction such that a plurality of expressions by the different or same expressing method are stored in the data storing unit 1004 and when the arithmetic operation using the secret information is actually performed, one or a plurality of expressions among them are selected at random and the arithmetic operation is performed by them. It is also possible to use a construction such that a plurality of processing means for processing those expressions are stored and, when the arithmetic operation using the secret information is actually performed, one or a plurality of processing means are selected at random and the arithmetic operation is performed by them.

The secret information is preliminarily dispersed to n information so that the original information can be reconstructed by a method called a secret dispersion when k of n information are collected, and those n information is used as an expression of the secret information.

The secret dispersion has been disclosed in

-   a literature [Shamir] Adi Shamir, “How to Share a Secret”, Communications of the ACM, Vol. 22, No. 11, pp. 612-613, 1979.

By those means, it is possible to set such that the time which is required when the arithmetic operation using the information to be secretly stored is performed, the intensity of the electromagnetic wave which is generated, and the current consumption are not constant, and it is difficult to presume the value of the private key by the TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like.

Although the example in which the invention is applied to the IC card having the decrypting function of the Elliptic Curve Encryption Scheme (ECES) as a kind of elliptic curve encryption has been shown in the embodiment, the invention can be also widely applied to other media in a manner similar to the first embodiment.

Fifth Embodiment

Although the example in which the invention is applied to, mainly, the process for calculating dR for the private key d and the given point R on the elliptic curve has been shown in the first to fourth embodiments, the invention is also effective even for the other processes.

An embodiment in which the invention is applied to an IC card having a signature forming function of an ECDSA signature as a digital signature system using an elliptic curve will now be described hereinbelow with reference to the drawings. The ECDSA signature has been disclosed in not only the above literature [IEEEP1363] but also a literature [X9.62] “Working Draft AMERICAN NATIONAL STANDARD X9.62-1998, Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)”, American National Standards Institute, Sep. 20, 1998.

In the embodiment, the information corresponding to the information to be secretly stored is a private key which is necessary to make an ECDSA signature. In the embodiment, it is assumed that the elliptic curve on the finite body of the prime number order is used.

FIG. 10 is a constructional diagram of the IC card in the embodiment. Different points from FIG. 1 as a constructional diagram of the IC card in the first embodiment are that the elliptic curve encrypting/decrypting program 1011 and common key encrypting/decrypting program 1012 are not provided in FIG. 10, that an ECDSA signature forming program 14001 is provided in FIG. 10, that an input and an output to/from the IC card 1001 are different, and that the information shown by the combination of the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 denotes a private key for making the ECDSA signature instead of a private key for decrypting the elliptic curve encryption in FIG. 10. The elements which are common to those in FIG. 1 are designated by the same reference numerals.

The ECDSA signature forming program 14001 will be described.

The ECDSA signature forming program 14001 inputs a signature target message 14002 from the outside of the IC card 1001, inputs the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 from the data storing unit 1004, calculates a digital signature 14003, and outputs it to the outside of the IC card 1001. The digital signature to the electronic signature target message corresponds to a print of a seal to a paper document and becomes a proof showing that the signer, namely, the owner of the private key guaranteed the contents of the signature target message. The details of the ECDSA signature have been disclosed in the literature [X9.62].

A flow of the fundamental operation by the expression converting program 1010 and ECDSA signature forming program 14001 at the time when a signature is made in response to the signature target message 14002 in case of using the IC card 1001 will be summarized as follows.

First, the ECDSA signature forming program 14001 calculates the digital signature 14003 from the signature target message 14002 as an input from the outside of the IC card 1001 and the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 stored in the data storing unit 1004 without obtaining the private key d and outputs it to the outside of the IC card 1001.

Thus, the digital signature can be made.

As mentioned above, since the digital signature 14003 can be madewithout allowing the private key d to appear in the data storing unit1004, bus 1003, and arithmetic operation processing unit 1002, it isdifficult to presume the value of the private key by the TA (TimingAttack), DPA (Differential Power Analysis), SPA (Simple Power Analysis),or the like.

In the example, the values of the private key partial information d_(A)1007 and private key partial information d_(B) 1008 stored in the datastoring unit 1004 are fixed. Therefore, each time the signature is made,the private key partial information d_(A) 1007 and private key partialinformation d_(B) 1008 as fixed values are supplied every time from thedata storing unit 1004 to the arithmetic operation processing unit 1002via the bus 1003. The ECDSA signature forming program 14001 performs thecalculation by using the same value every time. Therefore, thecalculation time, the intensity of the generated electromagnetic wave,the current consumption, and the like for such a period of time alsodepend on those fixed values. It means that there is a possibility thatthe value of the private key partial information is presumed by the TA(Timing Attack), DPA (Differential Power Analysis), SPA (Simple PowerAnalysis), or the like.

In the invention, the expression converting program 1010 is used as afurther countermeasure against those attacks in a manner similar to thefirst embodiment. That is, since the values of the private key partialinformation d_(A) 1007 and private key partial information d_(B) 1008are rewritten to the other values by executing the expression convertingprogram 1010, the data flowing from the data storing unit 1004 to thearithmetic operation processing unit 1002 via the bus 1003, and each ofthe time which is required when the ECDSA signature forming program14001 is executed by the arithmetic operation processing unit 1002, theintensity of the electromagnetic wave which is generated, the currentconsumption, and the like are also made different. Thus, it is possibleto make it further difficult to presume the value of the private key bythe TA (Timing Attack), DPA (Differential Power Analysis), SPA (SimplePower Analysis), or the like.

The expression converting program 1010 can be executed every time just before the ECDSA signature forming program 14001 is executed, can be also executed every time just after the ECDSA signature forming program 14001 was executed, can be also executed each time the ECDSA signature forming program 14001 was executed several times, or can be executed at a random timing irrespective of the execution of the ECDSA signature forming program 14001. As a countermeasure against the TA (Timing Attack) or DPA (Differential Power Analysis) for the ECDSA signature forming program 14001, it is desirable that an execution frequency of the expression converting program 1010 is large.

The details of the ECDSA signature forming program 14001 will now be described.

FIG. 11 shows a flow for the ECDSA signature forming program 14001 in FIG. 10.

-   Step 15001: Start
-   Step 15002: Read the signature target message 14002 from the outside of the IC card 1001.
-   Step 15003: Obtain a Hash value h of the message by using the signature target message 14002 as an input of a Hash function.
-   Step 15004: Read the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 from the data storing unit 1004.
-   Step 15005: Form the random number k (0<k<n).
-   Step 15006: Calculate (x, y)=kP.
-   Step 15007: Set r=x (mod n).
-   Step 15008: Calculate s_(A)=k⁻¹(d_(A)r+2h) (mod n).
-   Step 15009: Calculate s_(B)=k⁻¹(d_(B)r+h) (mod n).
-   Step 15010: Calculate s=s_(A)−s_(B) (mod n).
-   Step 15011: Output (r, s) as a digital signature.
-   Step 15012: End

It should be noted here that although the value itself of the private key d, namely, d_(A)−d_(B) (mod n) never appears in the ECDSA signature forming program 14001, since s obtained as a result satisfies

$$\begin{aligned}
s &= s_{A} - s_{B} \pmod{n} \\
  &= k^{-1}\left(d_{A}r + 2h\right) - k^{-1}\left(d_{B}r + h\right) \pmod{n} \\
  &= k^{-1}\left(dr + h\right) \pmod{n},
\end{aligned}$$

the same result as that obtained by calculating by using the private key d is derived.

As mentioned above, even in the embodiment, an effect similar to that in the embodiment is obtained by performing the process which utilizes a point that the private key has been separated into d_(A) and d_(B) and stored. This is because even if the private key is separated into the private key partial information and stored, for example, if the ECDSA signature is once made by using the value of d obtained by the calculation of d=d_(A)−d_(B), the effect is reduced.

Further, by changing the combination of the private key partial information d_(A) 1007 and private key partial information d_(B) 1008 as an expression of the private key d by the expression converting program 1010 in a manner similar to the first embodiment, the execution time, the intensity of the generated electromagnetic wave, and the current consumption in the ECDSA signature forming program 14001, in more detail, those of the multiplication d_(A)r in step 15008 and the multiplication d_(B)r in step 15009 of the ECDSA signature forming program 14001, do not depend on the value of the private key d itself. Therefore, such an effect that it is further difficult to presume the value of the private key by the attack such as TA (Timing Attack), DPA (Differential Power Analysis), or the like is obtained.

Although the Hash value as a message digest of the signature target message is obtained in the IC card 1001 in step 15003 of the ECDSA signature forming program 14001 in the embodiment, this process can be also executed by an external apparatus which can transmit and receive information to/from the IC card 1001, for example, a PC or the like which can transmit and receive information to/from the IC card 1001 via an IC card reader/writer. In this case, the Hash value of the signature target message is inputted to the IC card.

In the embodiment, the random number k which is formed in step 15005 of the ECDSA signature forming program 14001 is also a value to be held secret. This is because there is a relation of s=k⁻¹(dr+h) (mod n) among the digital signature (r, s), private key d, random number k, and Hash value h, and r, s, and h among them are set to values which can be known by everyone. This is because if the value of the random number k is known, the value of the private key d is also known by the calculation.

Since there is a difference with respect to a point that although the value of the private key d is constant, the random number k is formed at random each time the signature is made, a possibility that the value is presumed by the attack such as TA (Timing Attack), DPA (Differential Power Analysis), or the like is lower than that of the private key. A point that the value of the private key d is constant does not correspond to the specific expression but denotes the contents of the information which is inherently possessed.

The invention can be also applied to the random number k in order to further improve the safety. For example, the following operation can be performed in a manner similar to the second embodiment. That is, the table data is preliminarily calculated by the table data calculating program 5001 in the second embodiment. In the embodiment, since it is a table regarding the base point P as a fixed point, the table data can be previously calculated, for example, outside of the IC card 1001 as mentioned in the description in the second embodiment.

After the random number k was formed in step 15005 of the ECDSA signature forming program 14001, it is expressed as a combination of k_(A) and k_(B), stored in the data storing unit 1004, and further converted by the expression converting program. After that, (x, y) in step 15006 of the ECDSA signature forming program 14001 is calculated in a manner similar to the table lookup type elliptic curve encrypting/decrypting program 5002 in the second embodiment. It is sufficient that the value k⁻¹ which is used in steps 15008 and 15009 of the ECDSA signature forming program 14001 is calculated, for example, as follows. First, t=k_(B)⁻¹−k_(A)⁻¹ (mod n) is calculated. Subsequently, t⁻¹k_(A)⁻¹k_(B)⁻¹ (mod n) is calculated. It is equal to k⁻¹.

It should be noted that the value of k itself does not appear in the arithmetic operation to obtain k⁻¹. Thus, the time which is required for the arithmetic operation to obtain k⁻¹, the intensity of the generated electromagnetic wave, and the current consumption do not depend on the value of k itself. Therefore, it is difficult to presume the value of the random number k by the attack such as TA (Timing Attack), DPA (Differential Power Analysis), or the like.

Although the example in which the invention is applied to the IC card having the signature forming function of the ECDSA signature as a kind of digital signature has been shown in the embodiment, the invention can be also widely applied to other media.

For example, as an elliptic curve which is used, another elliptic curve described in the first embodiment can be also used. The invention is not limited to the digital signature using the difficulty of the discrete logarithm problem on the elliptic curve but can be also applied to a digital signature using the difficulty of the discrete logarithm problem on the other groups mentioned in the first embodiment.

More generally, when there is a homomorphic mapping f from a group G1 to a group G2 and there is an apparatus for calculating an element f(g) of the group G2 from an element g of the group G1 to be secretly held instead of the digital signature, a possibility that g is presumed by the TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like for such an apparatus can be reduced, for example, as follows according to the invention.

First, g is expressed by a combination of g1 and g2 which satisfy g=g1·g2 (· denotes an arithmetic operation of the group G1) and stored in the data storing unit.

Subsequently, with respect to an element h of G1 selected at random, a program for calculating g1′=h·g1 and g2′=h⁻¹·g2 (h⁻¹ indicates an inverse element of h regarding an arithmetic operation · of the group G1) and replacing g1 with g1′ and g2 with g2′ is executed. This program is called an expression converting program. Finally, f(g1)#f(g2) (# denotes an arithmetic operation of the group G2) is calculated to obtain the value of f(g). Since f denotes the homomorphic mapping, f(g1)#f(g2) is equal to f(g).

As mentioned above, each time the expression converting program is properly executed, each of the time which is required for the subsequent process to obtain the value of f(g), the intensity of the generated electromagnetic wave, and the current consumption is made different. Thus, it is difficult to presume the value of the private key by the TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like. The homomorphic mapping is a mapping from the group to the group and is a mapping such as to keep the arithmetic operation.

Sixth Embodiment

An embodiment in which the invention is applied to the transmission and reception of a message in an electronic commerce will now be described hereinbelow with reference to the drawings.

In the following embodiment, processes in the case where a card holder as a general consumer issues a purchasing request of goods to a merchant as a shop will be described. FIG. 12 is a system constructional diagram in the embodiment. In FIG. 12, a computer 16002 of the card holder as a general consumer, a computer 16003 of the merchant as a shop, and an authenticating station 16004 are connected to the network 16001. The authenticating station is a facility for issuing a certificate to guarantee the validity of the public key.

The computer 16002 of the card holder comprises a CPU 16005 and a memory 16006. A display 16007, a keyboard 16008, and an IC card reader/writer 16009 are connected to the computer 16002. The computer 16002 is connected to the network 16001. The card holder owns an IC card 16010 for signature. The IC card 16010 for signature and computer 16002 can transmit and receive information through the IC card reader/writer 16009. The IC card 16010 for signature is the same as the IC card shown in the fifth embodiment.

The computer 16003 of the merchant comprises a CPU 16011 and a memory 16012. A display 16013 and a keyboard 16014 are connected to the computer 16003. The computer 16003 is connected to the network 16001.

A public key 16015 has been stored in the memory 16006 of the computer 16002 of the card holder in a form to which the invention is applied. Information and a program regarding the private key which forms a pair together with the public key 16015 have been stored in a memory of the IC card 16010 for signature owned by the card holder in a form to which the invention is applied. That information is set by a method whereby an IC card in which the information and program regarding the private key have previously been written and a recording medium such as FD, CD-ROM, or the like in which the public key information has been stored are sent from a card issuer, for example, a credit company. The public key information can be also sent from a transmission medium in a wired/wireless manner or the like. A key forming function is built in the IC card sent from the card issuer and the card holder executes such a function, so that the public key information can be also set. A key forming program which can be executed on the computer of the card holder is sent from the card issuer by a recording medium such as FD, CD-ROM, or the like or a transmission medium in a wired/wireless manner or the like, the card holder executes such a program, and the public key information can be also set into the IC card which is sent. In case of the method of using the IC card with the key forming function, since the information regarding the private key does not leak to the outside of the IC card, this method is most desirable from a viewpoint of security. It is assumed that the private key in the IC card has been stored by the storing method to which the invention is applied in a manner similar to the fifth embodiment. The expressing method of the secret information by the secret information forming information to which the embodiment is applied and the program for processing the secret information forming information can be made different in dependence on each IC card or can be made coincident. The safety is further improved by making them different.

A signature verifying program 16018 and a system key 16019 have previously been set in the memory 16012 of the computer 16003 of the merchant. It is assumed that they have been preset in correspondence to the IC card 16010 for signature owned by the card holder. The details of the signature verifying program 16018 have been disclosed in the literature [X9.62].

Processes which are executed by the card holder will now be described.

The card holder first sends the public key 16015 in order to request the authenticating station 16004 to issue a public key certificate 16016. In response to the request from the card holder, the authenticating station 16004 issues the public key certificate 16016 by a well-known method and sends it to the computer 16002 of the card holder. This process is a process which is necessary only once for one public key. In other words, such a process is not necessary each time the process for transmitting a purchasing request message is executed. Since a step of forming a digital signature is included in a procedure for issuing the public key certificate by the authenticating station, the invention can be also applied to such a step.

Processes in the case where the card holder transmits the purchasing request message to the merchant will now be described.

The computer 16002 of the card holder forms a purchasing request message 16017 and stores it into the memory 16006. The purchasing request message 16017 is sent to the IC card 16010 for signature via the IC card reader/writer 16009, thereby forming a digital signature 16020 in accordance with the method of the invention. The digital signature 16020 is also stored in the memory 16006.

The digital signature 16020 becomes a proof showing the fact that the contents of the purchasing request message 16017 were certainly confirmed by the card holder and corresponds to a print of a seal in the ordinary paper document. That is, the private key stored in the IC card 16010 for signature corresponds to the seal to the ordinary paper document. Therefore, if a person with malice finds out the private key stored in the IC card 16010 for signature, he pretends to be a card holder as a legal owner and can request a purchase.

According to the embodiment, it is difficult to presume the private key by those attacking methods to the IC card for signature as mentioned above.

After the computer 16002 of the card holder formed the digital signature 16020, it collectively sends the purchasing request message 16017, public key 16015, public key certificate 16016, and digital signature 16020 as a transmission sentence 16021 to the merchant via the network 16001.

When the transmission sentence 16021 is received, the merchant first confirms that the public key 16015 is legal by using the public key certificate 16016 by a well-known method and, thereafter, executes the signature verifying program 16018, thereby discriminating whether the purchasing request message 16017 was certainly formed by the card holder or not by using the digital signature 16020, public key 16015, system key 16019, or the like. Thus, if the validity of the digital signature 16020 is confirmed, it is regarded that the contents of the purchasing request message 16017 are reliable, and the transaction is continued. If the validity of the digital signature 16020 is not confirmed, it is regarded that there is some illegality such that it was altered in the network 16001, the purchasing request message 16017 was formed by a person other than the legal card holder, or the like, so that the transaction is stopped.

INDUSTRIAL APPLICABILITY

According to the invention, it is possible to provide an arithmetic operating method and an information holding method which are safe from various attacking methods and an IC card, a security module, a semiconductor chip, a system, a computer, and a program using those methods.

1. A processing apparatus of secret information constructed by an arithmetic operation processing circuit, a storing circuit, and a signal line connecting said processing and storing circuits, in which said processing apparatus of the secret information obtains a same processing result as would be obtained by processing the secret information and data as a processing target by a conventional processing method, wherein said storing circuit holds: secret information forming information different from said secret information, and secret information forming information processing means for outputting said processing result by using said secret information forming information and said data serving as a processing target without allowing said secret information to appear in said arithmetic operation processing circuit, said storing circuit, and said signal line, and said arithmetic operation processing circuit executes said secret information forming information processing means, wherein said storing circuit further has converting means for converting said secret information forming information into another secret information forming information, and said another secret information forming information is information for allowing said secret information forming information processing means to output said same processing result.
2. An apparatus according to claim 1, wherein said secret information is a private key for decrypting or forming a digital signature in a public key encryption technique.
3. An apparatus according to claim 1, wherein said arithmetic operation processing circuit executes said converting means at a predetermined timing.
4. An apparatus according to claim 1, wherein said storing circuit holds said secret information forming information as a plurality of secret information partial information.
5. A processing program of secret information in a processing apparatus constructed by an arithmetic operation processing circuit, a storing circuit, and a signal line connecting said processing and storing circuits, in which said processing program of the secret information obtains a same processing result as would be obtained by processing the secret information and data as a processing target by a conventional processing method, wherein said arithmetic operation processing circuit is allowed to output said processing result by using secret information forming information different from said secret information and said data serving as a processing target without allowing said secret information to appear in said arithmetic operation processing circuit, said storing circuit, and said signal line, and converting means for converting said secret information forming information into another secret information forming information, wherein said processing program of secret information outputs said same processing result by using said another secret information forming information.
6. A program according to claim 5, wherein said processing program of secret information processes a plurality of secret information partial information as said secret information forming information.
7. A program according to claim 5, wherein said secret information is a private key for decrypting or forming a digital signature in a public key encryption technique.
8. A program according to claim 5, wherein said arithmetic operation processing circuit executes said converting means at a predetermined timing.
9. A processing system of secret information for transmitting and receiving a processing result by using a processing apparatus of secret information constructed by an arithmetic operation processing circuit, a storing circuit, and a signal line connecting said processing and storing circuits, in which said processing result obtained by said processing apparatus of the secret information is the same as would be obtained by processing the secret information and data as a processing target by a conventional processing method, wherein said storing circuit holds: secret information forming information different from said secret information, and secret information forming information processing means for outputting said processing result by using said secret information forming information and said data serving as a processing target without allowing said secret information to appear in said arithmetic operation processing circuit, said storing circuit, and said signal line, and said arithmetic operation processing circuit executes said secret information forming information processing means, wherein said storing circuit further has converting means for converting said secret information forming information into another secret information forming information, and said another secret information forming information is information for allowing said secret information forming information processing means to output said same processing result, wherein an apparatus on a receiver side of said processing result has means for setting said secret information forming information processing means and said secret information forming information into said storing circuit of said processing apparatus, and an apparatus on a user side of the processing apparatus comprises means for inputting the data serving as a processing target to said processing apparatus, means for receiving said processing result from said processing apparatus, and means for transmitting said received processing result to said receiver side apparatus.
10. An apparatus for processing secret information, comprising: a storing circuit holding secret information forming information having relationship with regard to said secret information and being able to form said secret information, and an arithmetic operation processing circuit which comprises: conversion means for converting said secret information forming information to other secret information forming information having relationship with regard to said secret information and used to form said secret information; processing means for executing a step of calculating a latest intermediate data for one or a plurality of times and a step of calculating a processing result by using the latest intermediate data, wherein said step of calculating the latest intermediate data comprises: a step of calculating the latest intermediate data different from said secret information by using a processing target, said other secret information forming information and initial data; and a step for replacing the initial data by the calculated latest intermediate data.
11. An apparatus according to claim 10, wherein said storing circuit in use holds said secret information forming information as a plurality of secret information partial information.
12. An apparatus according to claim 11, wherein said processing means operates to output a same processing result of said processing result.
13. An apparatus according to claim 10, wherein said processing means operates to output same processing result of said processing result.
14. An apparatus according to claim 10, wherein said secret information is a private key for decrypting or forming a digital signature in a public key encryption technique.
15. An apparatus according to claim 10, wherein said arithmetic operation processing circuit executes said converting means at a predetermined timing.